[PATCH] hw/net/smc91c111: Ignore attempt to pop from empty RX fifo

[PATCH] hw/net/smc91c111: Ignore attempt to pop from empty RX fifo

[Peter Maydell]

The SMC91C111 includes an MMU Command register which permits
the guest to remove entries from the RX FIFO. The datasheet
does not specify what happens if the guest tries to do this
when the FIFO is already empty; there are no status registers
containing error bits which might be applicable.

Currently we don't guard at all against pop of an empty
RX FIFO, with the result that we allow the guest to drive
the rx_fifo_len index to negative values, which will cause
smc91c111_receive() to write to the rx_fifo[] array out of
bounds when we receive the next packet.

Instead ignore attempts to pop an empty RX FIFO.

Cc: qemu-stable@nongnu.org
Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/smc91c111.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index b18d5c23c39..0e13dfa18b2 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -182,6 +182,15 @@ static void smc91c111_pop_rx_fifo(smc91c111_state *s)
 {
     int i;
 
+    if (s->rx_fifo_len == 0) {
+        /*
+         * The datasheet doesn't document what the behaviour is if the
+         * guest tries to pop an empty RX FIFO, and there's no obvious
+         * error status register to report it. Just ignore the attempt.
+         */
+        return;
+    }
+
     s->rx_fifo_len--;
     if (s->rx_fifo_len) {
         for (i = 0; i < s->rx_fifo_len; i++)
-- 
2.34.1

Re: [PATCH] hw/net/smc91c111: Ignore attempt to pop from empty RX fifo

[Philippe Mathieu-Daudé]

On 7/2/25 16:11, Peter Maydell wrote:
> The SMC91C111 includes an MMU Command register which permits
> the guest to remove entries from the RX FIFO. The datasheet
> does not specify what happens if the guest tries to do this
> when the FIFO is already empty; there are no status registers
> containing error bits which might be applicable.
> 
> Currently we don't guard at all against pop of an empty
> RX FIFO, with the result that we allow the guest to drive
> the rx_fifo_len index to negative values, which will cause
> smc91c111_receive() to write to the rx_fifo[] array out of
> bounds when we receive the next packet.
> 
> Instead ignore attempts to pop an empty RX FIFO.
> 
> Cc: qemu-stable@nongnu.org
> Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>   hw/net/smc91c111.c | 9 +++++++++
>   1 file changed, 9 insertions(+)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Re: [PATCH] hw/net/smc91c111: Ignore attempt to pop from empty RX fifo

[Philippe Mathieu-Daudé]

On 7/2/25 16:11, Peter Maydell wrote:
> The SMC91C111 includes an MMU Command register which permits
> the guest to remove entries from the RX FIFO. The datasheet
> does not specify what happens if the guest tries to do this
> when the FIFO is already empty; there are no status registers
> containing error bits which might be applicable.
> 
> Currently we don't guard at all against pop of an empty
> RX FIFO, with the result that we allow the guest to drive
> the rx_fifo_len index to negative values, which will cause
> smc91c111_receive() to write to the rx_fifo[] array out of
> bounds when we receive the next packet.
> 
> Instead ignore attempts to pop an empty RX FIFO.
> 
> Cc: qemu-stable@nongnu.org
> Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>   hw/net/smc91c111.c | 9 +++++++++
>   1 file changed, 9 insertions(+)

Patch queued, thanks.